Executive Order 13873 focused on securing the information and communications technology and services supply chain against transactions involving “foreign adversaries.” Companies in the information and communications technology and services sector should carefully study the new definitions, processes, procedures, and implications of the Interim Rule to ensure business continuity and stability.
On January 14, 2021, the US Department of Commerce (Commerce) issued a new Interim Final Rule (Interim Rule) to implement Executive Order 13873 on Securing the Information and Communications Technology and Services Supply Chain (Executive Order). The Interim Rule, published in the Federal Register on January 19, 2021, revamped the original proposed rule published on November 27, 2019, by adding details and processes to clarify the scope and reach of the Executive Order.
The Interim Rule is designed to establish the processes and procedures to create a framework to prohibit, mitigate, and unwind information and communications technology and services (ICTS) transactions involving “foreign adversaries.” The Interim Rule includes more details than the proposed rule first issued by Commerce on November 27, 2019; however, a number of areas require clarification and drafting prior to implementation. This gap results in ongoing uncertainty for companies operating in the ICTS sector or that use ICTS products or services for their business.
Although the Interim Rule indicates that a licensing process will allow companies to obtain authorizations to conduct activities with affected parties or products, that process was not included in the rule. The secretary of Commerce (Secretary) is expected to publish a framework for licensing within 60 days of the date the Interim Rule was published and will implement those procedures within 120 days of the Interim Rule’s publication. As a result, the regulation does not currently include a process of obtaining approvals to proceed and, therefore, is focused only on prohibitions, which, as noted in further detail below, require independent action by the Secretary before any activity can be viewed as prohibited.
In addition, similar to prior administrations, on January 20, 2021, the Biden administration issued a “Regulatory Freeze Pending Review” memorandum to the heads of executive departments and agencies, requiring the agencies to “consider” not proposing or issuing any rule “until a department or agency head appointed or designated” by President Joe Biden “reviews and approves the rule,” unless the rule is declared to be “for emergency situations or other urgent circumstances relating to health, safety, environmental, financial, or national security matters.” Thus, while any final or interim final regulations issued (even with delayed effective dates) can be considered outside the general scope of the Biden memorandum, President Biden retains the discretion to direct that agencies alter implementation dates, potentially suspend regulations, or otherwise modify existing obligations. The Biden memorandum therefore could impact the effective date of this Interim Rule and the timing for issuance of any licensing framework the Secretary may develop pursuant thereto.
Regardless of the delayed implementation and the likely “freeze” on the drafting of the licensing process, the potential that the regulations could proceed counsels that companies prepare for the requirements—which are focused on a structure that identifies specific transactions that are prohibited as they relate to directly identified parties.
The Interim Rule adds or modifies several key definitions that outline the areas where new authorizations may be required by Commerce. The key definitions include the following:
Foreign Adversary: The Interim Rule retains the proposed definition of “foreign adversary,” which means any foreign government or foreign nongovernment person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of US persons. However, it now includes a provision titled “Determination of foreign adversaries” and designates the following specific governments or foreign nongovernment persons as “foreign adversaries” subject to the Executive Order:
It further clarifies that this list of “foreign adversaries” is to be used only for purposes of the Executive Order, the Interim Rule, and any subsequent rules and not for other purposes. Commerce will periodically review the list and make changes as appropriate.
ICTS Transaction: The Interim Rule enhances the definition of “ICTS Transaction” by identifying the specific categories of transactions that are subject to the Executive Order:
It explains that the purpose of these additions is to clarify that the Secretary may review transactions, including the provision of services, that occur on or after the date of publication of the Interim Rule, “by any person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.”
Party or Parties to a Transaction: The Interim Rule defines this term to mean a person engaged in an ICTS Transaction, including the person acquiring the ICTS and the person from whom the ICTS is acquired. The definition does not include common carriers that transport goods for a fee on behalf of the general public, except to the extent the carrier knows or should have known it was providing transportation services of ICTS to one or more of the parties to a transaction that has been prohibited in a final written determination by Commerce or permitted subject to mitigation.
Person owned by, controlled by, or subject to the jurisdiction of a foreign adversary: The Interim Rule defines this term to include
Sensitive Personal Data: Sensitive data includes personally identifiable data that is maintained or collected by a US business and that is maintained or collected on over 1 million people over a 12-month period, and the results of individual genetic testing. Interestingly, this definition mirrors aspects of the definition of sensitive personal data used by the Committee on Foreign Investment in the United States (CFIUS) for reviewing the national security implications of cross-border investments. The Interim Rule also clarifies the categories of data of concern, including the following:
Undue or Unacceptable Risk: The Interim Rule adopts the definition of this term outlined in Section 1(a)(ii) of the Executive Order (i.e., sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of ICTS in the United States; catastrophic effects on the security or resiliency of US critical infrastructure or digital economy; or risk to national security or the security and safety of US persons).
In an effort to address a number of comments raised by concerned parties related to the scope and reach of the regulations, as well as the lack of specificity, the Interim Rule identifies six main types of ICTS Transactions falling under its scope that could be subject to the review, prohibition, and licensing process:
(1) ICTS that will be used in a sector designated as critical infrastructure by Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors (e.g., Communications, Energy, Information Technology, Nuclear Reactors, etc.);
(2) software, hardware, or any other product or service integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or long- and short-haul systems;
(3) software, hardware, or any other product or service integral to data hosting or computing services that use, process, or retain, or is expected to use, process, or retain, sensitive personal data on greater than one million U.S. persons at any point over the twelve months preceding an ICTS Transaction;
(4) certain ICTS products which greater than one million units have been sold to U.S. persons at any point over the twelve months prior to an ICTS Transaction;
(5) software designed primarily for connecting with and communicating via the Internet that is in use by greater than one million U.S. persons at any point over the twelve months preceding an ICTS Transaction; and
(6) ICTS integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.
In considering a referral of an individual ICTS Transaction (or class of such transactions), the Secretary will first determine whether all of the criteria of Section 7.3(a) are met. Specifically, an ICTS Transaction may be subject to review if
Commerce declined to exempt any particular industry or geographic locations at this time, noting that national security issues may arise across industries. Based on how past administrations have addressed these types of national security concerns, maintaining flexibility to address changing geopolitical or security circumstances aligns with the authorities granted to the president and Commerce by the International Emergency Economic Powers Act (IEEPA). It is not unexpected for Commerce to consider it important to maintain the flexibility to review specifically identified transactions across industries.
The rule also specifies that an ICTS Transaction that involves certain technologies, hardware, or software will be considered “covered,” and makes clear that the acquisition of ICTS items by US persons as a party to a transaction authorized under a government-industrial security program is not an ICTS Transaction. Moreover, transactions solely involving personal ICTS hardware devices (e.g., handsets) are less likely to warrant particular scrutiny.
As mentioned above, Commerce intends to publish procedures for parties to seek a license within 60 days of publication, and to implement those procedures within 120 days of the publication date of the Interim Rule (i.e., May 19, 2021). The procedures are expected to establish criteria by which persons may seek a license to enter into a proposed or pending transaction or engage in an ongoing transaction.
A decision not to seek a license is not expected to create a negative inference or unfavorable presumption with respect to a particular transaction.
License application reviews will be conducted on a fixed timeline, not to exceed 120 days from accepting a license application, and applications will be deemed granted if Commerce does not issue a licensing decision within that timeline. However, the Interim Rule indicates that no licenses will be issued if doing so would reveal sensitive information to foreign adversaries or others who may seek to undermine US national security interests.
The Interim Rule clarifies that the review process does not apply to an ICTS Transaction that CFIUS is actively reviewing or has previously reviewed. The Interim Rule further clarifies that the rule applies to ICTS Transactions initiated, pending, or completed on or after publication of the Interim Rule in the Federal Register (i.e., January 19, 2021). Any act or service (e.g., execution of any provision of a managed services contract or installation of software updates) is an ICTS Transaction on the date the service or update is provided even if the service was provided pursuant to a preexisting contract (i.e., Commerce will view the initial and subsequent transactions as separately reviewable).
The Interim Rule outlines a more detailed review process for covered transactions (as requested by most of the comments on the proposed rule). It also provides (in a nonexhaustive list) information that the Secretary may rely upon in deciding whether to review (and during review of) a transaction, including information provided by any US government national security body or other federal agencies; public information; confidential business or proprietary information; classified national security information; information from state, local, tribal or foreign governments; and information from parties to a transaction.
The Secretary may consider any referral received based on a wide range of public and nonpublic information, upon written request of an appropriate agency head, or at the Secretary’s discretion. After determining whether the transaction is reviewable under the Order, the Secretary may (a) commence an initial review; (b) request additional information (as described above); or (c) reject the referral. The Secretary will issue a final determination within 180 days of accepting a referral. After receiving notice that a transaction is under review, parties will be required to retain any and all records related to the transaction.
The Interim Rule also outlines a broad range of information that will be considered in making determinations as to whether the transaction involves or includes a foreign adversary, including whether a party or its suppliers have facilities or operations in a foreign adversary, professional and personal ties between the party and a foreign adversary, laws in the foreign adversary country where a party is headquartered or has operations, and any other criteria the Secretary deems appropriate.
Commerce declined to create national security risk categories for transactions and insisted that risk management assessments of ICTS Transactions will be made on a case-by-case basis. The Interim Rule further explains the nonexhaustive factors for determining whether an ICTS Transaction poses an undue or unacceptable risk, including the following:
These are fact-intensive inquiries that will depend on the precise nature of the transactions at issue, including the products and services provided, the identity of the customer, and where in the country and telecommunications networks the products or services are to be used (e.g., the scope of the network, location of the network vis-à-vis US critical infrastructure, and interconnection of the network with other providers).
The Interim Rule provides that parties to a transaction may be required to furnish complete information related to any transaction under review under oath (including books, contracts, letters, electronic documents) and that such reports may be required before, during, or after a transaction under review. The Secretary will also have the ability to hold hearings, examine witnesses, subpoena attendance, take testimony of witnesses, and request production of materials in connection with review of ICTS Transactions. Commerce’s power to compel production of information includes the ability to issue subpoenas where needed, thus emphasizing Commerce’s intent to ensure it collects adequate information to make its assessment under the factors identified in the regulation.
If, after review of an ICTS Transaction, the Secretary determines that the transaction poses an unacceptable risk, the Secretary will issue an initial written determination explaining the finding and whether a decision has been made to prohibit or mitigate the transaction. This notice will be provided to all parties to the transaction. Within 30 days of being notified of an initial determination, parties may respond and propose remedial steps. If a party does not respond within this timeframe, the initial determination will become final. The parties can also request a meeting with Commerce, but the department is under no obligation to take the meeting.
Any final determination issued by Commerce will state that a transaction is either prohibited, not prohibited, or permitted with mitigation. The written final determinations will include instructions on cessation of a prohibited transaction and penalties that may apply. If the Secretary determines that a transaction should be prohibited, it will include a specific description of the prohibited transaction to which the prohibition will apply. In its final determination, the Secretary has discretion to “direct the least restrictive means necessary to tailor the prohibition to address the undue or unacceptable risk” posed. The Interim Rule does not further specify the types of “least restrictive means” that the Secretary can use and transaction parties are likely to have limited ability to challenge the Secretary’s discretion.
Final written determinations will be published in the Federal Register with confidential business information omitted.
Any person who violates a final determination, direction, or mitigation agreement may be liable for civil and criminal penalties under IEEPA. Violators may be subject to civil penalties of up to $307,922 or twice the amount of the transaction that is the basis of the violation (whichever is greater). Criminal violations may result in a fine of not more than $1 million (or in the case of an individual, up to 20 years in prison or a fine). The rule also clarifies that other penalties for false statements to the US government could apply as well.
The Interim Rule was published in the Federal Register on January 19, 2021, and becomes effective on March 22, 2021. Commerce invites interested parties to comment on the Rule within 60 days (i.e., by March 22, 2021) after publication. This is also the deadline for the Secretary to issue regulations regarding licensing of ICTS Transactions, which are expected to be fully implemented within 120 days from publication of the rule in the Federal Register.
Companies in the ICTS sector should carefully study the new definitions, processes, procedures, and implications of the Interim Rule to ensure business continuity and stability. Companies should keep in mind that this Interim Rule is not self-executing, i.e., an affirmative action by the Secretary is required before any particular transaction (or class of transactions) shall be prohibited. However, the Secretary has wide latitude to determine which transactions should be subject to review. Therefore, although it is not possible to determine with specificity exactly which transactions are vulnerable to potential prohibition, the Interim Rule identifies foundational considerations for companies to keep in mind moving forward.
To the extent that an ICTS Transaction is believed to be reviewed and declined by Commerce, companies should establish contingency plans in anticipation of the review. Alternatively, companies are advised to continue monitoring for Commerce’s issuance of licensing procedures and to consider exploring the option to file a license application with Commerce (once regulations outlining that process are issued).
Finally, companies should consider filing comments on the Interim Rule to advocate for additional clarification and guidance from Commerce before the licensing procedures are issued and the Interim Rule takes effect.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact the authors, Patricia C. Cave, Giovanna M. Cinelli, Jiazhen (Ivon) Guo, and Kenneth J. Nunnenkamp, or any of the following Morgan Lewis lawyers:
Washington, DC
Katelyn M. Hilferty
Christian J. Kozlowski
Boston
Carl Valenstein